Gartner put together a very simple and concise webinar that details why PCI DSS exists, the reality of meeting compliance, and what is required for compliance. Avivah Litan did a nice job of succinctly articulating the challenges of PCI DSS validation and the positives and negatives of the standard. A few choice quotes I took from the presentation:
- Process is still too manual
- Self assessment forms do not allow for inclusion of compensating controls
- VISA & MasterCard have not detailed what is permissible compensating controls
- Too broad in scope and too detailed in others
- The program should be streamlined to not require a vendor to provide approval for compensating controls
Positive / Neutral points:
- They have done better than the government
- Hire an assessor – do what is reasonable, feel comfortable, and submit a report on compliance
- Be assertive, take a hard look because there are a lot of breaches and this data is extremely valuable
- Think about the reason for storing – there is no reason to store magnetic stripe information. There is no business case for this, and it occurs because programmers wrote the programs to take the information for no valid reason.
Excerpts from Avivah Litan, Research VP of Gartner
Comments, Criticisms, and Feedback…
My thoughts on her closing remarks are the following:
“Process is still too manual” & “Self assessment forms do not allow for inclusion of compensating controls”
- I agree the process is too manual and that the ability to communicate compensating controls is important, but the management and interpretation of these on the self-assessment forms would be impossible given the number of entities required to complete these forms.
“VISA & MasterCard have not detailed what is permissible compensating controls”
- A published list of accepted compensating controls would be a great addition to both the MasterCard and VISA website, and would improve communications for all parties involved.
“Too broad in scope and too detailed in others”
- I disagree that the scope is too broad. The scope is defined solely to those assets that store, process, and transmit CHD. If organizations control the distribution of this data, meeting PCI DSS validation requirements is very feasible.
“The program should be streamlined to not require a vendor to provide approval for compensating controls”
- Requiring a third party to sign-off on requirements has been a standard of assurance and trust services since the beginning of time, and one that I cannot imagine disappearing anytime soon. I think that such validation would not be required if a published list were made available.
“They have done better than the government”
- I certainly agree that VISA / MasterCard and the other card processors have done better at specifying the requirements and aligning them to internationally accepted standards. This, unfortunately, is the focus of some of those that are against the program.
“Hire an assessor – do what is reasonable, feel comfortable, and submit a report on compliance”
- I agree with these comments, although I don’t always think hiring an assessor is the right step. As I have posted previously, I believe that organizations should leverage existing talent and bring in external service providers ONLY when it becomes necessary. This saves the companies’ resources, leverages the smarts in the company, and efficiently leverages the third parties’ talents.
“Be assertive, take a hard look because there are a lot of breaches and this data is extremely valuable”
- CHD should be classified as the most sensitive type of data in every organization. It should be labeled, segregated, and adequately protected in transit and while at rest. If these steps are taken, organizations will meet their regulatory, industry, and customer obligations.
“Think about reason for storing”
- Storing track data is against operating regulations and should be halted immediately. As for the rest of the data, store what is necessary and take appropriate precautions.
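The last two points (classify, segregate and protect CHD; stop storing track data) both presuppose that you know where cardholder data actually sits. The following is an added example, not from the webinar or the original post: a small Python scanner that finds magnetic-stripe track data and bare PANs in text such as application logs or database exports and reports them with the PAN masked, using the Luhn check to weed out order numbers and other long identifiers. The track layouts follow ISO/IEC 7813; the debug-logging scenario and the sample log lines are constructed for this example, and the card numbers in them are publicly known test PANs.

```python
"""Added example: a DLP-style scan for stored cardholder data (CHD).

Finds magnetic-stripe track data and bare PANs in text such as logs or
database dumps, so that storage which should not exist can be located.
Track layouts follow ISO/IEC 7813: track 1 begins with the start sentinel
'%' and format code 'B' and uses '^' as field separator; track 2 begins
with ';' and uses '='. The sample lines below are constructed for this
example and use the publicly known test PANs 4111111111111111 and
5555555555554444.
"""
import re
from dataclasses import dataclass

# 13-19 digit runs that are not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# %B<PAN>^<name>^<YYMM>...  (track 1)
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
# ;<PAN>=<YYMM>...          (track 2)
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")


def luhn_valid(number: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str  # the full PAN never leaves the scanner


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; track data is reported once, not again as a bare PAN."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reported: set[str] = set()
        for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                pan = m.group(1)
                if luhn_valid(pan):
                    findings.append(Finding(line_no, kind, mask_pan(pan)))
                    reported.add(pan)
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            # Luhn filters out order numbers and other 13-19 digit identifiers.
            if pan not in reported and luhn_valid(pan):
                findings.append(Finding(line_no, "pan", mask_pan(pan)))
                reported.add(pan)
    return findings


# Constructed sample: an application log left in debug mode. Line 1 holds an
# order number and an already-masked PAN (neither should be reported), lines
# 2-3 hold raw track 1 and track 2 data, line 4 a Luhn-invalid number and
# line 5 a bare PAN.
SAMPLE_LOG = """\
2024-05-01 auth ok order=1234567890123456 pan=411111******1111
2024-05-01 DEBUG raw_swipe=%B4111111111111111^DOE/JOHN^251210100000?
2024-05-01 DEBUG raw_swipe=;5555555555554444=251210100000?
2024-05-01 retry pan=4111111111111112 result=declined
2024-05-01 settle pan=5555555555554444 amount=12.00
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6s} {f.masked_pan}")
```

Run against the sample it reports three findings: track 1 data on line 2, track 2 data on line 3 and a bare PAN on line 5. The order number on line 1 fails Luhn and the already-masked PAN never forms a 13-digit run, so neither is flagged. Point the same `scan_text` at real log directories or database exports to draw the CHD inventory that defines the PCI DSS scope.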
Some credit: I spotted this Gartner webcast on Martin’s site. Please visit; he has some great insight into the security world. It seems with PCI DSS we are always learning more and finding better ways of understanding the standard and its challenges. If anyone knows of other webinars or other resources, please post away below!
James DeLuccia IV